Folks, I recently learned that SSL issuing places like GeoTrust, Verisign, etc. can no longer issue "intranet" SSL certificates, like http://myintranet/. I've been doing this for my company for years (renewing them), and I'm not really sure how to proceed - it seems we should create our own Cert Authorization and distribute a new, locally created cert to our enterprise.

Here's the problem - I need a step by step on how to do this:

1) Creating the cert on our own CA (could probably figure this one out)

2) Adding it to our server (without messing up the existing SSL - current cert expires in December)

3) Distributing the new cert to the enterprise. My biggest concern during this whole process is for our users not to get any cert warning errors, because that will flood the helpdesk...

Any tips, directions, advice? Thanks in advance!


How were you informed that you could no longer purchase these certificates? I am not an expert in the cert services field, but how would they know that the certificate is being applied to a resource that is on the intranet rather than the internet?

Is it because you are not submitting the full URL of the resource such as intranet.mydomain.com?


Correct - when you go to renew one, it can't be done because they can only renew top-level domains now... according to GeoTrust, this is an across-the-board government regulation, etc. ... not their choice.


Hmm... news to me. Thanks for that info.

If that is the case, you could proceed with setting up a PKI infrastructure in the organization.

Most people just set up a Windows server, joined to the domain, then install the Cert Serv role and keep the server online and use Active Directory to store the root cert so that intranet clients will trust the root CA (this would generally take care of any potential issues with the clients). However, if your organization has security policies, this may not meet those requirements. On the Microsoft TechNet site, there are a few good articles on this topic, including how-tos with regard to the installation.

Adding a PKI infrastructure on your network will not impact any certs you have installed on your intranet web servers.



Great information - thank you! - doing it the way you suggest sounds like nothing even needs to be distributed, or installed on the clients, correct?


Pretty much correct. Setting up an online Enterprise root CA is actually very easy. However, if you have requirements such as keeping the root CA offline and having a stand-alone, subordinate issuing CA online, the design, installation, and management/maintenance can get pretty involved. I can tell you that from having done this a few years ago.

You can even introduce more than one root enterprise CA into your directory. I would suggest that you read up on this topic a bit more before you bring one online.
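The online Enterprise root CA that JorgeM describes in both replies above, worked through as an added PowerShell example (this is not code from the thread or from Microsoft's documentation). It covers the three steps the original question asked about: bringing up the CA so that Active Directory carries the root to domain members, checking from a client that the root really is trusted before anything is cut over, and issuing the intranet web server certificate from the new CA while leaving the existing commercial certificate bound until December. The names Contoso-Root-CA, myintranet, myintranet.corp.example.com, "Default Web Site" and the path C:\temp are placeholders; the built-in WebServer template is assumed to grant Enroll to the web server's computer account, which is something to verify in the template's security tab first.

```powershell
# Added example, not from the thread. Placeholders: Contoso-Root-CA, myintranet,
# myintranet.corp.example.com, 'Default Web Site', C:\temp. Run each section
# elevated on the machine named in its heading.

# --- 1. On the domain-joined Windows Server that will host the CA ---
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# EnterpriseRootCA publishes the root into AD DS, so domain members pick it up
# through Group Policy; nothing has to be pushed to clients by hand.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'Contoso-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 `
    -Force

# Export the root and (re)publish it to the Certification Authorities container.
# -f makes certutil overwrite an existing entry, so this is safe to re-run.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq 'CN=Contoso-Root-CA' }
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
Export-Certificate -Cert $root -FilePath C:\temp\Contoso-Root-CA.cer | Out-Null
certutil -dspublish -f C:\temp\Contoso-Root-CA.cer RootCA

# --- 2. On a domain-joined client: confirm trust BEFORE touching the web server ---
# This is the check that keeps the helpdesk quiet: if the root is not here,
# users will get warnings the moment the new cert is bound.
gpupdate /force | Out-Null
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq 'CN=Contoso-Root-CA' }
if (-not $trusted) {
    Write-Warning 'Root CA not in the client store yet; check AD publication and GPO scope.'
}

# --- 3. On the intranet web server: request a server cert from the new CA ---
# Both the short name and the FQDN go in the SAN; browsers match on the
# Subject Alternative Name, not on the CN, so the short name alone would still warn.
# Assumes the computer account has Enroll on the WebServer template.
$req = Get-Certificate -Template WebServer `
    -SubjectName 'CN=myintranet.corp.example.com' `
    -DnsName 'myintranet', 'myintranet.corp.example.com' `
    -CertStoreLocation Cert:\LocalMachine\My
if ($req.Status -ne 'Issued') {
    throw "Enrollment did not complete: $($req.Status)"
}
$new = $req.Certificate

# Validate the chain and the SSL name match from the server's point of view;
# a failure here means a client would see a warning too.
if (-not (Test-Certificate -Cert $new -Policy SSL -DNSName 'myintranet')) {
    throw 'New certificate does not validate for myintranet; do not bind it yet.'
}

# The commercial cert stays in the store and stays bound until this cutover
# step is run (e.g. in December, once step 2 has been confirmed on clients).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
Remove-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -ErrorAction SilentlyContinue
Get-Item "Cert:\LocalMachine\My\$($new.Thumbprint)" |
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
Get-ChildItem IIS:\SslBindings   # shows which thumbprint now serves port 443
```

The order matters more than any single command: publish the root, wait for the clients to receive it and verify that on a real workstation, and only then rebind the site. Running step 2 on a handful of machines from different OUs is the cheapest way to find a Group Policy scoping problem before it turns into a flood of certificate warnings.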
